One of the purportedly user-friendly features of Microsoft's new operating system is turning out to be user-annoying.

As many as three times a week, on average, XP users see a little window pop up at the bottom of their computer screens announcing the availability of another new update for their system. This plethora of patches has left many users wondering whether their hard drives are big enough to handle "Trustworthy Computing."

Users also complain that several of the patches made their systems unstable. And some were annoyed by the many megabytes' worth of available patches for what they feel are unimportant applications such as games and file-sharing programs, believing that Microsoft should instead focus on fixes for crucial security holes.

Security experts say that the auto-update feature is good in theory, but doesn't work as well as it should. In some cases, the updates have even interfered with previously installed security patches, leaving supposedly protected machines open to malicious hackers.

Experts also confirm that many serious holes in Microsoft programs remain unpatched and wonder when the much-touted Trustworthy Computing initiative will have measurable real-world results.

Microsoft itself is having problems keeping up with its cavalcade of patches. Programmer Thor Larholm notes that patch MS02-018, which Microsoft deemed "critical" and released at the beginning of April, had not been applied to the company's own Hotmail and Hotmail Passport servers.

A Microsoft spokesperson confirmed that the servers had not been patched.

"MSN is working to implement this patch as quickly as possible," the spokeswoman said. "Given that MSN Hotmail serves over 110 million customers, it is an ongoing process and it does take some time to update each MSN Hotmail server."

Larholm said the unpatched servers leave Hotmail accounts open to several serious hack attacks. The spokeswoman said that as far as Microsoft knows, no customer information has been compromised.

Larholm has posted a list on his website of 14 other yet-unpatched vulnerabilities in Microsoft applications. He said in late March there were only two vulnerabilities on the list, but since then the number has grown steadily.

In response to Larholm's list, a Microsoft spokesman said the company feels that "promoting alleged vulnerabilities may put computer users at risk -- or at the very least, could cause needless confusion and apprehension."

Larholm was amused by that response.

"The last time I read the exact phrase 'or at the very least, could cause needless confusion and apprehension' was three days ago in a Microsoft response to another security related article. It's their new shrink-wrap response."

Larholm said that all the vulnerabilities listed on his page, discovered by various security experts, went through rigorous testing and acknowledgment by Microsoft before they were published by their disgruntled discoverers.

"You can be sure that any vulnerability listed is already being actively used," Larholm said. "The list itself exists to put pressure on Microsoft, in the tiny hope that they may patch these holes. I also do my best to assure that each issue on the list is provided with temporary solutions that can be applied immediately. Microsoft seems to think that customers prefer to stay exploitable for months while waiting for a patch."

Other security researchers agreed that Microsoft still has serious issues to address in securing its products and services, but said that the company was doing better.

Joel Scambray, co-author of Hacking Exposed, has recently been working closely with Microsoft on security issues. He believes the company is making real progress on its Trustworthy Computing initiative.

"I can see very graphically how Bill Gates' memo of Jan. 18 has galvanized the company and pushed them to reevaluate many fundamental issues with product security," Scambray said. "Behind the scenes, I think the correct steps are being taken to improve, it's just not visible yet."

Menashe Eliezer, manager of Finjan's Malicious Code Research Center, also agreed that Microsoft was doing better.

"The public doesn't see all the changes in Microsoft's strategy, but I'm sure that their programmers can tell you about it," Eliezer said. "I've seen a difference."

But Eliezer and Scambray both had questions about XP's auto-update feature. Both said the patches can conflict with each other, causing system problems and sometimes even removing previously installed protections.

"With the current Microsoft auto-update, you can't always be sure you're protected by the most current patches," Scambray said. "Microsoft has long had issues in trying to 'federate' their disparate outlets for software patches and updates. Until they get their act together on this score, I think their customers should remain familiar with manual methods of installing patches."

Larholm said he doubted there will be any improvement in the current generation of Microsoft products.

"Whatever it is that they have taught their horde of programmers remains to be seen," Larholm said. "Microsoft needs to redesign fundamental aspects of their software infrastructure, and until that has been done all we will see is workarounds and preliminary patches. Bottom line, everything is the same for now, but their intentions are promising."

Some users also complain that while serious security holes remain open, XP is regularly delivering patches for non-critical applications.

Some XP users were amused to see that Microsoft had included "compatibility patches" for several file-sharing applications in the April 2002 XP update.

"Windows XP has all these severe anti-piracy features built-in, yet the company is putting out patches to make sure that Kazaa and Grokster works well with XP," said Nicky Caldone, an attorney. "Call it what you will, file-sharing apps are all about pirating."

A Microsoft spokesman said the company doesn't consider what an application's purpose is when deciding whether to issue a compatibility update.

"It's still pretty funny that Microsoft, who has been quite vocal about the cost and consequences of piracy, would include patches for file-sharing applications in XP's updates," Caldone said.